Most frivolous Windows users would have had their antivirus shouting at some point with the message “Alert! A virus was found”, followed by pop-up windows that mention “kavo.exe”. kavo.exe is a smart trojan that installs an autorun.inf in your C:\, making sure it updates itself every time you connect to the internet. The bad news is that this can be quite irritating and painful, as most antivirus software fails to remove it. The good news is that a little bit of common sense can help!
So let's go ahead and get rid of the kavos and tavos on our own!

First and foremost, check for an autorun.inf file in C:\. Open the file and check if it has references to kavo or tavo. Delete such a file.

Delete all files in C:\ that have a “.com” extension.

Go to C:\Windows\system32\

Search for “kavo”; you would get results like kavo.exe, kavo.dll, kavo0.dll, kavo1.dll. Go ahead and delete kavo.dll and then kavo.exe. Then try to delete the other kavo dll files. If you get a message that the files are in use and cannot be deleted, restart your computer and try deleting them again. In this manner, delete all “kavo” files from system32.

Search for “tavo” and repeat the procedure explained for kavo.

Now all your bad files are gone and you just need to remove the registry entries.

Hit Windows+Run and type “regedit”. Browse to HKCU\Software\Microsoft\Windows\CurrentVersion\Run and delete the entries named kava and tava. More easily, download CCleaner and run the registry scan from it. This will show you all unwanted registry entries. kava and tava would also be listed, as we have removed the exes related to them. Click on “Fix selected issues” and do not take a backup of the registry.
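Before deleting anything by hand, the three checks from the steps above (autorun.inf in the drive root, kavo/tavo files in system32, kava/tava values under the Run key) can be run as one read-only PowerShell audit. This is an added example, not part of the original post; the function and parameter names are hypothetical, and flagging Run values whose data mentions kavo or tavo goes slightly beyond the name check described in the text.

```powershell
# Read-only audit for the kavo/tavo leftovers named in the steps above.
# Nothing is deleted or modified; review the output before removing anything.
# Find-KavoTavoTraces and its parameters are hypothetical names for this example.
function Find-KavoTavoTraces {
    param(
        [string[]]$Roots  = @('C:\'),    # drive roots to inspect for autorun.inf
        [string]$System32 = (Join-Path $env:windir 'System32'),
        [string]$RunKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    $pattern = 'kavo|tavo'               # Select-String and -match ignore case

    # 1. autorun.inf is normally hidden/system, so -Force is required to list it.
    foreach ($root in $Roots) {
        $infs = Get-ChildItem -LiteralPath $root -Filter 'autorun.inf' -Force -ErrorAction SilentlyContinue
        foreach ($inf in $infs) {
            foreach ($hit in (Select-String -LiteralPath $inf.FullName -Pattern $pattern)) {
                [pscustomobject]@{ Type = 'autorun.inf'; Location = $inf.FullName; Detail = $hit.Line.Trim() }
            }
        }
    }

    # 2. kavo.exe, kavo.dll, kavo0.dll, ... and the tavo equivalents in system32.
    foreach ($stem in 'kavo', 'tavo') {
        $files = Get-ChildItem -LiteralPath $System32 -Filter "$stem*" -Force -ErrorAction SilentlyContinue
        foreach ($file in $files) {
            if (-not $file.PSIsContainer) {
                [pscustomobject]@{ Type = 'system32 file'; Location = $file.FullName; Detail = "$($file.Length) bytes" }
            }
        }
    }

    # 3. Run values named kava/tava, or whose data points at a kavo/tavo file.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $run  = Get-ItemProperty -LiteralPath $RunKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($prop in $run.PSObject.Properties) {
            if ($meta -contains $prop.Name) { continue }   # provider metadata, not registry values
            if ($prop.Name -match '^(kava|tava)$' -or "$($prop.Value)" -match $pattern) {
                [pscustomobject]@{ Type = 'Run value'; Location = "$RunKey\$($prop.Name)"; Detail = "$($prop.Value)" }
            }
        }
    }
}

Find-KavoTavoTraces | Format-Table -AutoSize -Wrap
```

An empty result after a reboot means none of the three persistence points described above is still present; pass additional roots (for example `-Roots 'C:\','E:\'`) to check removable drives as well.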

Now delete all weirdly named files from C:\. Typically they would belong to the list below:

I seemed to have gotten this one as well. While it is active, it undoes any changes to the registry setting which controls your ability to see hidden files/folders. The version I have seems to be creating a fo.exe file on any drives connected to the computer and it creates a klif.dll file every time I open the C: drive so I am sure there is an unseen Autorun.inf file there as well. It also puts itself in several restore spots. I will be trying your steps as soon as the next scan is done. Thanks for your blog here, it is a great time saver.

I should also note that none of the above files were found during the scan, possibly deleted in a previous scan. In order to return the ability to view hidden files, the registry setting is at \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL; the CheckedValue and DefaultValue should be changed to 1.